
PRIVACY & CONFIDENTIALITY
KDH'S Full Privacy Policy



KIRKLAND AND DISTRICT HOSPITAL  

 

Policy/Procedure Manual: All
Date of Issue: OCT 04
Approval: Board of Directors; CEO
Date of Review/Revision: February 9, 2005
Source: Personal Health Information Protection Act, 2004 (Bill 31)
Distribution: ALL

 

KIRKLAND AND DISTRICT HOSPITAL PRIVACY POLICY

 

The Kirkland and District Hospital recognizes the importance of privacy and the sensitivity of Personal Health Information (“PHI”). We are committed to protecting any personal health information that we hold. This Privacy Policy outlines how we manage this information and safeguard privacy.

 

Definitions

Any reference to “information” means PHI as defined by the Personal Health Information Protection Act, 2004 (Ontario) (“PHIPA”). See Appendix 1 for specific definitions.

PHIPA Is the Law

 

Starting November 1, 2004, any health information custodian (“HIC”) in the Ontario health care system that collects, uses or discloses PHI must comply with the Personal Health Information Protection Act, 2004.

The Kirkland and District Hospital is a HIC and is responsible for the PHI we collect, use, maintain and disclose, as set out in this Policy. 

What Information Do We Collect From The Patient?

Generally, we will ask the patient to give us information about their health and their family’s health that we need to care for them. 

We will collect information from the patient for the following purposes, which are our “main activities”: caring for the patient, administration of the Hospital and the health care system, teaching, limited research, statistics and complying with legal and regulatory requirements.

 

We will either directly tell the patient why we are collecting their information or we will post a notice or give them information that describes why we are collecting their information.

We will only collect information from the patient indirectly (e.g., from other health care providers or from the patient’s family and friends) if necessary to provide the patient with care, when they cannot provide the information themselves or cannot consent to providing the information themselves.

How Do We Use Patient Information?

Patient  information is given to the patient’s caregivers in the Kirkland and District Hospital to be used to care for them.  Our directors, employees, professional staff (doctors, dentists, midwives, and nurse practitioners), volunteers and students are trained and understand that patient information is private and can only be used or accessed to care for them or carry out our main activities. 

People who have a contract to provide services to the Kirkland and District Hospital (such as fixing equipment, maintaining computers) may have access to patient information, and we take steps through our contracts to make sure this information is kept private.

 

Unless we have a patient’s consent to use their information for research purposes, their information will only be used for research if the strict process (ensuring both privacy and ethical conduct) in PHIPA is followed by both the Hospital and the researcher.

 

If we use patient  information for any purpose other than our main activities, we will ask the patient’s permission.

 

When Will We Disclose Patient Information?
 

Unless the patient  tells us not to, we will disclose their information to other health care providers in the “Circle of Care” who need to know this information to provide the patient with care or help to provide the patient with care.  The “Circle of Care” includes health care professionals, pharmacies, laboratories, ambulance, nursing homes, CCACs and home service providers who provide the patient with health care services.

 

Unless the patient tells us not to, we will tell anyone who calls the Hospital or visits the Hospital asking about the patient that:

  • The patient is in the Hospital (Room #); and

  • The patient’s basic health condition (critical, fair, poor, etc.). (Nursing Units)

 

Unless the patient tells us not to, if the patient gives us information about their religious affiliation, we will give the patient’s name and room number to our Hospital’s representative of the patient’s religious affiliation.

 

Unless the patient tells us not to, we will give their name and address to our Foundation, which may contact the patient  for fundraising purposes.  The patient  can ask not to be contacted for fundraising at any time.

 

Sometimes the law requires us to disclose information about the patient, for example, to OHIP for payment purposes. We will only disclose patient information when the law requires or permits us to do so.

Getting The Patient’s Consent

The patient’s consent to our collection, use or disclosure of their information may be implied or expressed. In certain circumstances we will always ask for the patient’s expressed consent:

  • Where we are disclosing patient  information to someone who is not a HIC (e.g., to their insurer or employer); and

  • Where we are disclosing patient  information to someone who is a HIC but for purposes other than providing the patient with health care.

Where we obtain a patient’s implied consent, the patient will have been provided with a notice (either posted in a place where the patient is likely to see it or directly given to the patient) and a chance to withhold their consent. 

The patient may withdraw or limit their consent at any time, unless doing so prevents the hospital from recording the information we require from the patient  at law or under professional standards.  The patient can give an express instruction that specific information not be used or disclosed.

We may sometimes collect, use or disclose the patient’s personal information without their consent in limited instances that are expressly permitted by PHIPA.  For example, some statutes require disclosure of patient information, such as the Coroners Act and the Vital Statistics Act.

Retaining Patient Information and Disposing of Patient Information

We retain patient information in the Kirkland and District Hospital or in premises controlled by the Hospital in a secure manner and keep it for as long as necessary to fulfill the purposes for which it was collected, or as required by law.

The Kirkland and District Hospital has a policy in place to address the retention and destruction of records in the Hospital.  This policy sets out minimum and maximum retention periods and complies with applicable laws governing retention of information.

Where a patient has requested access to a record with their information, we will retain that record until the patient’s access request is exhausted.

Accuracy of Patient Information

We take reasonable steps to ensure that patient information is as accurate, complete and up-to-date as necessary on collection.  We will not routinely update information in our control unless routine updates are necessary to fulfill the purposes for which the information was collected.  We take reasonable steps to ensure that any information that is used by the Kirkland and District Hospital on an ongoing basis, including any information that is routinely disclosed to others under this Policy, is accurate, complete and up-to-date.  Where we know that information is not accurate, complete or up-to-date, this fact will be indicated at the time of use or disclosure. 

Security of Patient Information

Patient  information in the custody or control of the Kirkland and District Hospital is protected by security safeguards.  These security safeguards are in keeping with industry standards and are designed to protect patient information against loss or theft as well as unauthorized access, disclosure, copying, use or modification.

Among the steps we take to protect patient information are:

  • premise security, including locked filing cabinets where cabinets are located in publicly accessible areas;

  • restricted access to information stored electronically;

  • using technological safeguards like security software and firewalls to prevent hacking or unauthorized computer access; and

  • internal password and security policies.

Hospital agents are aware of the importance of keeping patient information confidential.  As a condition of employment or obtaining/maintaining privileges, all Hospital agents are required to sign a Confidentiality Agreement, which is reviewed and renewed annually during the agent’s performance review.

We will notify the patient  at the first reasonable opportunity if their information is lost, stolen, or subject to unauthorized access, disclosure, copying, use or modification.

How A Patient Can Access Their Information

A patient can request access to any records in the Hospital’s custody or control that contain their information by writing to our Privacy Contact.  The guidelines for processing these requests are available on request.  The patient will receive at least a preliminary response from the Privacy Contact within 30 days, and a full response within 60 days.

The patient’s  right to access their information is not a given.  We may deny access when:

  • denial of access is required or authorized by law (e.g., there is a court order prohibiting access); or

  • where the request is frivolous or vexatious or in bad faith.

If the Privacy Contact refuses a patient access to their records, there will be a reason given, and the patient will also be notified of their right to complain to the IPC (“Information and Privacy Commissioner of Ontario”).

The patient is also entitled to challenge the accuracy or completeness of any of their information in our custody or control.  Requests to challenge and/or change patient information should be directed to the Privacy Contact.  The patient will receive at least a preliminary response from the Privacy Contact within 30 days, and a full response within 60 days.

We may charge the patient a reasonable fee (based on cost recovery) for copies of their information.  We will advise them of any fee before we make copies.

Challenging Us

The patient is  entitled to challenge our compliance with the principles set out in this Policy.  Please direct any challenge in writing to our Privacy Contact.

Anyone who submits a written complaint, challenge or inquiry will be given a written copy of our procedures governing such complaints, challenges and inquiries.

We will investigate all complaints received.  If a complaint is found to have merit, we will take appropriate measures to address the complaint, including, if necessary, taking disciplinary action against Hospital agents and/or amending our policies and practices relating to management of patient information. 

Compliance with this Policy

All Hospital agents (employees, directors, volunteers, students and professional staff members) are required to know and comply with this Policy.  Annual confirmation of compliance is required.  Any breach of this Policy may result in significant disciplinary action, including:

  • for employees and volunteers:  suspension, demotion, and termination; and

  • for professional staff members:  restriction or revocation of privileges, in whole or in part.

Agents may only use patient information as permitted by the Hospital and within the same legal limitations imposed on the Hospital.  All agents must notify the Hospital at the first reasonable opportunity if the patient’s information is lost, stolen or accessed without authorization.

Our Privacy Contact

The Chief Executive Officer (“CEO”) of the Hospital is ultimately responsible for ensuring accountability and compliance with this Policy.  The CEO appoints a member of our staff to act as the Hospital’s Privacy Contact; the Privacy Contact reports directly to the CEO.  The Privacy Contact may delegate to others the day-to-day supervision of the collection, use and disclosure of information. 

To reach the Privacy Contact:

Address:                   
Kirkland and District Hospital
Bag Service 3000
Kirkland Lake, ON P2N 3P4
Phone Number          (705) 568-2217
Fax Number               (705) 568-2103
E-mail address          Privacy@kdhospital.com

Appendix 1 – Definitions

Agent

Anyone authorized by the Hospital to collect, use or disclose PHI on behalf of the Hospital and not for the agent’s own purposes (for example, employees; persons contracted to provide services who have access to PHI (records management, copying or shredding records); health professionals with privileges; volunteers; directors; students)

Circle of Care

Those HICs indicated under the definition of HIC with an asterisk (*HIC), for the purpose of providing health care or assisting in providing health care within the continuum of care

HIC (Health Information Custodian) includes:

  • *the Hospital

  • *health care practitioners

  • chiropractors; registered drugless practitioner; social worker; person whose primary function is to provide health care (acupuncturist, psychotherapy)

  • NOT aboriginal healers; aboriginal midwives; faith healer

  • *service providers to CCAC

  • *CCAC

  • *public, private, or mental hospitals

  • *psychiatric facilities under Mental Health Act

  • *independent health facilities

  • *homes for aged, nursing homes

  • *pharmacies

  • *laboratories

  • *ambulance

  • *community health or mental health centres whose primary purpose is providing health care

  • evaluators under Health Care Consent Act or assessors under Substitute Decisions Act (capacity)

  • medical officer of health and board of health under Health Protection and Promotion Act

  • Minister and Ministry

  • others as provided under the regulations

IPC – Information and Privacy Commissioner of Ontario

PHI (Personal Health Information)

Information, oral or recorded, about an individual that does or could identify that individual and that:

  • relates to physical or mental health

  • includes family history as it is reflected in record of PHI

  • identifies the health care provider

  • relates to payments or eligibility for health care

  • relates to donation of body part or bodily substance

  • includes the health number (replaces Health Cards and Numbers Control Act)

  • identifies SDM (Substitute Decision-Maker)

  • includes any non-health information that is in record that is identifying

PHIPA – Personal Health Information Protection Act, 2004 (Ontario)

Privacy Contact – Hospital employee identified at end of this Policy

SDM – Substitute Decision-Maker





©2010 Kirkland and District Hospital - Privacy and Confidentiality